Overview

The CCC SSO Initiative provides single sign-on capability to colleges and districts allowing their student population to authenticate to secure web applications such as MyPath, Canvas, Hobsons, and Library Service Platform using the same login credentials used to log into other services at the college or district.

  • Single sign-on is achieved by implementing a SAML2-compliant Identity Provider, such as Shibboleth, PortalGuard, or the Ellucian Identity Service.
  • MyPath, Canvas, and Library Services are statewide initiatives that require a common identifier for students who may attend multiple community colleges.
  • The CCCID, the statewide student identifier established in OpenCCC, is the common identifier that will be used across initiatives.

The CCCID

Use of the CCCID requires that colleges or districts pass the CCCID to MyPath, Canvas, etc. as a SAML attribute in the authorization request from their SAML identity provider.


Colleges that participate in CCCApply have the capability of downloading a CCCID as part of the application download process for a student.  Many colleges that download the CCCID from CCCApply store the CCCID in the student's SIS or Active Directory account which allows them to easily pass CCCID as a SAML attribute.  Colleges that do not use Apply, colleges with students that applied previously to or outside of CCCApply, or colleges that choose not to store the CCCID are unable to pass the CCCID as a SAML attribute.

Because the CCCID is a requirement for participating in the statewide initiatives, the SSO proxy was introduced as a means to associate a CCCID with an Identity Provider authorization request when the CCCID is not available to the college at authorization time.

This is achieved by the SSO proxy intercepting the authorization request, determining whether a CCCID was passed as a SAML attribute, and, if a CCCID was not included in the request, prompting the student to either create a new OpenCCC account or recover an existing one.


Demo - The SSO Proxy: The Student Experience

The following demos illustrate the student user experience when they pass through the SSO Proxy to access a secure CCC web application, depending on the college's ability to pass a CCCID as a SAML attribute.

These particular scenarios focus on a student logging into MyPath from a College website, but the same experience would be true for Common Assessment, Canvas, or any other CCC web application.

Video 1: Various Student Experiences with the SSO Proxy 


Scenario 1: Student Never Sees the Proxy

This scenario illustrates the most streamlined user experience because it allows students who already have an OpenCCC account (meaning they have a CCCID, even if they don't remember what it is) to log in to any secure CCC web application without interruption or interaction with the SSO proxy.

IMPORTANT: In order for this scenario to work, the college MUST STORE all CCCIDs in their Active Directory and PASS THE CCCID as a SAML attribute. If the college does not upload and store CCCIDs in their Active Directory, EVERY student will have to interface with the SSO Proxy in some way (see Scenario Two and Three below). To avoid unnecessary interruption to the student experience, store CCCIDs in your Active Directory.


Demo:
Rose Reeves is a student at College A.  Rose applied to College A through CCCApply over a year ago, and College A downloaded her CCCID as part of their CCCApply application download process.

College A was able to store Rose's CCCID in her Active Directory account which enabled College A's IDP to send the CCCID as one of the SAML attributes.

Because the college IDP was able to send the CCCID as a SAML attribute, the proxy identifies the student by their CCCID and passes the student directly to MyPath (or their destination Application) without any further interaction with the proxy.

Step 1.1

Rose clicks on "MyPath Login" from the College A website.

Step 1.2

College A's Identity Provider login page is displayed.

Rose enters her college userid and password and clicks "Login"


Step 1.3

The proxy detects that the CCCID was passed as a SAML attribute and authenticates Rose to MyPath without any further interaction.



Scenario 2: SSO Proxy Prompts Student to Create an OpenCCC Account

John Demo is a returning student at College A but never applied using CCCApply. Because College A never downloaded an application for John Demo, College A's IDP was unable to pass his CCCID because it doesn't exist. 

Because College A's IDP was unable to send the CCCID as a SAML attribute, the SSO proxy will direct John Demo to OpenCCC where John can retrieve his existing CCCID account if he has one, or create a new OpenCCC account.

NOTE: There are other reasons why a student may

Step 2.1

John selects "MyPath Login" from the College A website.

Step 2.2

College A's Identity Provider login page is displayed.

John enters his college userid and password and clicks "Login"

Step 2.3

The SSO proxy detects that no CCCID SAML attribute was sent with the authentication request.

The SSO proxy redirects John to OpenCCC where John can either login with his existing OpenCCC account, recover his OpenCCC account, or create a new OpenCCC account.

John selects "Create a new Account"

Step 2.4

John is directed to the "Create Your OpenCCC Account" page.

John selects "Begin Creating My Account"

Step 2.5

John creates an OpenCCC Account

Step 2.6

Account creation is complete.

John is asked to remember his OpenCCC username and password

John clicks "Continue"

Step 2.7

John logs into OpenCCC with the username and password defined in the previous steps.

At this point the SSO Proxy remembers the CCCID for future logins.

Step 2.8

John is directed to the MyPath main page.




Scenario 3:  SSO Proxy Remembers Student in Future

Because John Demo was directed by the SSO proxy to create a new OpenCCC account in the previous scenario, the SSO proxy "remembered" the CCCID associated with John Demo's College A login account.

Because the SSO Proxy remembered John Demo's CCCID, he will not be required to create or recover his CCCID on any new login attempts to MyPath via College A's IDP.


Step 3.1

John clicks on "MyPath Login" from the College A website.

Step 3.2

College A's Identity Provider login page is displayed.

John enters his college userid and password and clicks "Login"


Step 3.3

John is directed to the MyPath main page.
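
The routing decision the proxy makes across the three scenarios above, sketched as an added example; this is not the CCC SSO proxy's own code. The attribute name "cccId", the in-memory "remembered" mapping keyed by IdP issuer and NameID, the function names, and the sample values are assumptions, and the assertion is assumed to have already passed signature and condition validation.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CCCID_ATTR = "cccId"  # hypothetical attribute name; the page does not give one


def read_identity(assertion_xml):
    """Return (issuer, name_id, cccid_or_None) from an already-verified assertion."""
    if "<!DOCTYPE" in assertion_xml:  # a SAML message never needs a DTD
        raise ValueError("DTD not allowed in SAML messages")
    root = ET.fromstring(assertion_xml)
    issuer = (root.findtext("saml:Issuer", "", NS) or "").strip()
    name_id = (root.findtext("saml:Subject/saml:NameID", "", NS) or "").strip()
    if not issuer or not name_id:
        raise ValueError("assertion lacks Issuer or NameID")
    cccid = None
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == CCCID_ATTR:
            value = (attr.findtext("saml:AttributeValue", "", NS) or "").strip()
            cccid = value or None  # an empty value counts as "not passed"
    return issuer, name_id, cccid


def route(assertion_xml, remembered):
    """Pick the next hop; `remembered` maps (issuer, name_id) -> CCCID."""
    issuer, name_id, cccid = read_identity(assertion_xml)
    if cccid:                        # Scenario 1: the IdP passed the CCCID
        return ("application", cccid)
    key = (issuer, name_id)          # per-IdP key: userids at two colleges never collide
    if key in remembered:            # Scenario 3: linked on an earlier login
        return ("application", remembered[key])
    return ("openccc", None)         # Scenario 2: create or recover an account


def remember(remembered, issuer, name_id, cccid):
    """Store the link once the student completes the OpenCCC login (Step 2.7)."""
    remembered[(issuer, name_id)] = cccid


def sample_assertion(issuer, name_id, cccid=None):
    """Constructed, unsigned sample input for the functions above."""
    attr = ""
    if cccid is not None:
        attr = (f'<saml:AttributeStatement><saml:Attribute Name="{CCCID_ATTR}">'
                f'<saml:AttributeValue>{cccid}</saml:AttributeValue>'
                f'</saml:Attribute></saml:AttributeStatement>')
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:Issuer>{issuer}'
            f'</saml:Issuer><saml:Subject><saml:NameID>{name_id}</saml:NameID>'
            f'</saml:Subject>{attr}</saml:Assertion>')
```

Keying the remembered link on the issuer as well as the NameID means the same college userid arriving from a different IdP is treated as an unlinked student and sent to OpenCCC.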

